
Difficulty of Detecting OpenSSL Heartbleed Attacks Adds to Problem

The list of products and sites affected by the OpenSSL heartbleed vulnerability continues to grow, and as security teams implement the patch and dig into the thornier work of revoking certificates, a new problem is emerging: It’s difficult to know whether an attacker has exploited the vulnerability on a given system.


The nature of the vulnerability in OpenSSL is such that an attacker can exploit the vulnerability without the site operator knowing. The flaw lies in the way that the OpenSSL library handles the heartbeat extensions for TLS and it exists in many versions of the software. OpenSSL is deployed on a huge number of sites, roughly two-thirds of the Web by some estimates, and although the OpenSSL Foundation has released a fixed version, it could be some time before the majority of sites are patched.

Proof-of-concept exploit code for the vulnerability has been posted, and there now is a heartbleed Metasploit module that implements an attack on the flaw, as well.

Experts say that the ambiguity surrounding exploitation of the OpenSSL vulnerability adds an unwelcome layer to an already troubling security problem.

“It’s a nightmare vulnerability, since it potentially leaks your long term secret key — the one that corresponds with your server certificate. Worse, there’s no way to tell if you’ve been exploited. That means the prudent thing to do now is revoke your certificate and get a new one. We’ll see how many people do that,” said cryptographer Matthew Green, a professor at Johns Hopkins University.

Officials at Mozilla acknowledged this quandary in their advisory on the heartbleed vulnerability, which affected some of the organization’s systems running Firefox Persona and Firefox Accounts. Those systems run on Amazon Web Services using OpenSSL.

“Because these TLS connections terminated on Amazon ELBs instead of the backend servers, the data that could have been exposed to potential attackers was limited to data on the ELBs: TLS private keys and the plaintext contents of encrypted messages in transit,” Sid Stamm, senior manager of security and privacy engineering at Mozilla, said in a blog post.

“We have no evidence that any of our servers or user data has been compromised, but the Heartbleed attack is very subtle and leaves no evidence by design. At this time, we do not know whether these attacks have been used against our infrastructure or not. We are taking this vulnerability very seriously and are working quickly to validate the extent of its impact.”

Because of the way the OpenSSL heartbleed vulnerability works, an attacker who successfully exploits the bug can read up to 64KB of memory from a vulnerable machine per request. Depending upon the circumstances, the attacker may be able to retrieve a server’s private key or other sensitive data.

Researchers have confirmed that Android devices running versions 4.1.0 and 4.1.1 also are vulnerable. The heartbeat extension was disabled in Android 4.2.

Discussion

Patching a titanic hole whenever the dam has burst and everything has been washed away to another space place, is so typically a waste of infinite time and simple human effort with sub-prime resources to protect themselves and their perceived to be valuable riches with dumb secrecy which always attracts like busy bees to pollen and nectar for the sticky sweet honey that is industrious persons of complex interest and/or stealthy virtual machines on astute active almighty duty.
Man is extremely slow in realising that the Great Game has been changed and there be new stars and APT ACTors guiding future events for universal presentation ....... SMARTR HyperRadioProActive Product Placement.
Consider what secrecy is used for to understand the folly of who it aids and secures to deliver one an inequitable threatening leverage rather than mutually beneficial leading advantage.

I was wondering whether any of the experiments operated by security researchers have detected Heartbleed attacks since the issue was publicized. If existing tools detected attacks as the black hats began to use them but had not detected any earlier, that would suggest that the vulnerability was not widely used before it was published last week.
